IT operations teams frequently tell us they have no oversight or responsibility over OT systems that have IP/IT connectivity. At the same time, on the OT operations side, there are no clearly defined areas of responsibility when it comes to cyber-related activities in the OT world.
Fortunately, these discussions are starting to happen as the IT and OT worlds converge. It’s important to understand the areas of convergence and to incorporate Incident Response processes into both the OT and IT sides. The responsibility for Incident Response in the OT world will fall primarily on those who implement ICS, which is the local facility personnel. It’s not the IT cybersecurity team.
Depending on the maturity of the organization, OT operations personnel either have a slight understanding of cybersecurity awareness as it relates to OT or no clue at all. We see both scenarios all the time. Either way, an OT cyber security awareness process should be put in place. Particularly where OT operations are localized and IT personnel are not present or have no operational oversight.
Protecting Your OT Assets
How do you protect your OT environment when you have no idea what you’re protecting?
Regardless of the security framework chosen (i.e., NIST CSF, CIS, ISO 27001, and so on) the fundamentals are pretty much the same. That means you must protect your assets by documenting them, monitoring the potential threats to them, and have a Response-and-Recover process in place to prepare for incidents.
For OT, this is taken several steps further. It’s extremely important to document the OT-IP-IT boundary. You need to understand which OT systems that are connected – some are standalone while others are connected via serial networks that convert to IP. Further, you need to understand the OT systems that connect to an IP network and the IT systems that potentially have access to these OT systems.
Using an established framework – Insight Cyber Group recommends you take a look at NIST CSF – is a fundamental step before any ICS incident response process can be put in place.
There are five key elements that are mandatory when developing an ICS Cybersecurity program:
Asset Management. This is the process of identifying and classifying the ICS assets by type, location, connectivity and criticality classification.
Identity & Access Management. This is where you document who has access to each ICS, how they access it, and why they have access.
Security Controls. Isolating or segmenting the ICS network from the rest of the corporate network is another essential element. This also means isolating other ICS systems from each other. For example: is there any reason why the physical building access network (i.e., badge readers and cameras) requires connectivity to the HVAC system?
Physical Security. This means restricting physical access to the ICS systems and devices. Particularly if the ICS system has a management system that can control multiple PLCs.
Standardization of OT Connectivity &Controls. Automation is the nemesis of OT, but it’s here and it’s something that must be dealt with. With automation comes more connected OT devices, which leads to an aperture in ICS controls if the proper level of standardization and security is not put into place.
All five elements are important, but you can’t diminish the importance of standardization. If OT systems are to be connected through automation, then a standard should be adopted that states the following:
A common approach to network design;
The adequate security controls put in place to protect the OT assets; and
A systematic approach to monitoring not only the OT assets but the connections between the OT-IP-IT boundary.
In a nutshell, there is work to be accomplished before a comprehensive ICS/OT Incident Response process can be put in place. There are essential discovery steps, including risk assessment, that must be accomplished and documented to create an Incident Response plan. As the old saying goes, “you can’t know where you’re going if you don’t know where you came from.”
In upcoming blogs, we’ll look at the nuts and bolts of creating OT Incident Response plans.